luyadev · nadar · Oct 12, 2019 · Oct 11, 2019 · Oct 12, 2019
diff --git a/core/CHANGELOG.md b/core/CHANGELOG.md
@@ -5,6 +5,7 @@ In order to read more about upgrading and BC breaks have a look at the [UPGRADE
 
 ## 1.0.22
 
++ [#1967](https://github.com/luyadev/luya/pull/1967) New `corsConfig` option for Application in order to set application wide cors settings.
 + [#1964](https://github.com/luyadev/luya/pull/1964) Ensure console commands can return none scalar values to debug or prinit.
 + [#1962](https://github.com/luyadev/luya/issues/1962) Fix problem with first stack trace informations not containing line and file informations.
 + [#1963](https://github.com/luyadev/luya/pull/1963) Fix for theme bootstraping and layout loading.

diff --git a/core/traits/ApplicationTrait.php b/core/traits/ApplicationTrait.php
@@ -91,6 +91,48 @@ trait ApplicationTrait
      * ```
      */
     public $locales = [];
+
+    /**
+     * @var array An array to provide application wide CORS settings.
+     * 
+     * By default the X-Headers of Yii and LUYA Admin are exposed. In order to override the cors
+     * config the following example would work (including cors class definition).
+     * 
+     * ```php
+     * 'corsConfig' => [
+     * 'class' => 'yii\filters\Cors',
+     *     'cors' => [
+     *         'Origin' => ['*'],
+     *         'Access-Control-Request-Method' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],
+     *         'Access-Control-Request-Headers' => ['*'],
+     *         'Access-Control-Allow-Credentials' => null,
+     *         'Access-Control-Max-Age' => 86400,
+     *         'Access-Control-Expose-Headers' => [
+     *             'X-My-Header-Name',
+     *         ],
+     *     ],
+     * ]
+     * ```
+     * 
+     * @since 1.0.22
+     */
+    public $corsConfig = [
+        'class' => 'yii\filters\Cors',
+        'cors' => [
+            'Origin' => ['*'],
+            'Access-Control-Request-Method' => ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],
+            'Access-Control-Request-Headers' => ['*'],
+            'Access-Control-Allow-Credentials' => null,
+            'Access-Control-Max-Age' => 86400,
+            'Access-Control-Expose-Headers' => [
+                'X-Pagination-Current-Page', 
+                'X-Pagination-Page-Count',
+                'X-Pagination-Per-Page',
+                'X-Pagination-Total-Count',
+                'X-Cruft-Length',
+            ],
+        ],
+    ];
 
     /**
      * Add trace info to luya application trait

diff --git a/core/traits/RestBehaviorsTrait.php b/core/traits/RestBehaviorsTrait.php
@@ -8,7 +8,6 @@
 use yii\filters\auth\QueryParamAuth;
 use yii\filters\auth\HttpBearerAuth;
 use yii\filters\ContentNegotiator;
-use yii\filters\Cors;
 use yii\base\Model;
 use luya\rest\UserBehaviorInterface;
 use luya\web\filters\JsonCruftFilter;
@@ -139,7 +138,7 @@ public function behaviors()
         }
 
         if ($this->enableCors) {
-            $behaviors['cors'] = Cors::class;
+            $behaviors['cors'] = Yii::$app->corsConfig;
         }
 
         $behaviors['contentNegotiator'] = [

diff --git a/tests/core/traits/RestBehaviorsTraitTest.php b/tests/core/traits/RestBehaviorsTraitTest.php
@@ -93,4 +93,18 @@ public function testArrayUserAuthClass()
         $this->assertArrayHasKey('authenticator', $controller->behaviors());
         $this->assertInstanceOf('yii\web\User', $controller->behaviors()['authenticator']['user']);
     }
+
+    public function testCorsConfig()
+    {
+        $this->app->corsConfig = [
+            'class' => 'invalid\cors\class',
+        ];
+        $ctrl = new RestBehaviorsTraitTestStubWithoutUser('id', $this->app);
+        $ctrl->enableCors = true;
+
+        $behaviors = $ctrl->behaviors();
+
+        $this->assertSame(['class' => 'invalid\cors\class'], $behaviors['cors']);
+
+    }
 }